IN SEARCH OF THE PERFECT SECURITY METAPHOR

Warnings are legion about the security and privacy threats to information and transactions on the Internet.

The needed solutions, though available through data encryption and related technologies, may not yet be ready for mass implementation. But there is no shortage of colorful descriptions for the security problem - in terms that don't exactly encourage the public acceptance for which promoters of electronic commerce yearn.

At least give the commentators credit for originality. The muse appears to have visited people known for other kinds of inspiration, better understood by computer industry insiders.

"The Internet is made of glass," said Tom Steding, president and chief executive officer of Pretty Good Privacy Inc., an encryption system provider and data security crusader. "Anyone can see what you're saying or doing with relative ease."

Unless, of course, you go in for PGP's protection technology.

Scott McNealy, chairman of Sun Microsystems Inc., waxed metaphorical while trying to put across his notion of the JavaStation network computer in a recent television interview.

Explaining the security advantages of the NC over a personal computer based on the Microsoft Windows operating system (which Mr. McNealy sees as the enemy), he said: "The beauty of Java is, it's a secure language. You can write an application, download it; it's verified before it runs; and it runs in a virtual machine layer - a prophylactic if you will - a safe computer layer so that you can't introduce viruses.

"I mean, Windows is the petri dish of choice out there on the Internet. This whole concept of a Java client . . . allows you to download something off the great unwashed Internet and run it in a safe way."

Transaction-security descriptions have gone almost highbrow since the "restaurant metaphor" first visited credit card circles.

Even before MasterCard and Visa began promoting their Secure Electronic Transactions protocol (see below), industry experts were saying card payments over computer networks were less risky than entrusting a card to a waiter for authorization and imprinting. (The economist Lester Thurow, himself a victim of account-number theft, would extend this lesson to any retail setting. See page 4A.)

Variations of the restaurant metaphor have emerged, seemingly to educate bankers on the issue. At a conference last year sponsored by payment systems consultant George White, Robert Leahy, editor of the Leahy Newsletter, likened Internet transactions to jewelers' sending emerald rings through the mail. They do that often, and safely, Mr. Leahy said. Would-be thieves are stymied because they can't discern a pattern for intercepting the valuable mail. Internet payments would be a big problem, he said, if they became popular and widespread enough to make hacking attractive.

Kawika Daguio, the American Bankers Association's resident expert on emerging payment systems and their risks, made his concerns about various digital cash schemes plain by comparing them to "handing over a passbook."

That once-common means of keeping track of savings account balances "may have secure paper that resists erasing or indicates an attempt to tamper. But would you turn it over to someone and say, 'Here, take what you want, and bring it back when you are finished?' "

No banking leaders have sounded the security warning more loudly or articulately than Colin Crook and the technology R&D team at Citicorp. Mr. Crook, the senior technology officer, has raised the specter of information warfare - attacks on the country through the banking system. The answer: "exceptional defenses" and "no compromises" on the level of encryption in financial networks.

To bring that down to the point of sale, Mr. Crook described the potential hazards in stored-value cash cards as "like giving your wallet to a stranger and saying, 'Take your money, and then tell me how much I have left.' It's an act of faith. Many scams are possible."

"Authenticate the user, and never trust a network," he said.

"We don't allow unsafe vehicles, no matter how cheap they are," James Brown, a consumer advocate based at the University of Wisconsin, told the Treasury Department's electronic money conference last September. "Why should money be any different?"